Detecting and mitigating denial of service (“DoS”)/distributed DoS (“DDoS”) attacks can be a top priority for computer networks. Prolexic reported an average DoS/DDoS attack bandwidth of 5.2 Gbps during 2011 Q4. (See, e.g., Reference 1). During the same period, Arbor Networks reported that 13% of DoS attacks were greater than 10 Gbps, with 50% of them being application layer attacks. During Q3 2013, 46.5% of attacks were greater than 1 Gbps. Further, the proportion of attacks in the 2-10 Gbps range more than doubled when compared to 2012 attacks. In the first half of 2013, the number of attacks over 20 Gbps was two times the attacks seen in 2012. (See, e.g., References 2 and 3). These attacks pose a major threat to computer networks. Ponemon Institute LLC reports that the average cost of each minute of downtime was about $22,000 in 2012. (See, e.g., Reference 4). FIG. 1 shows a graph of the distribution of cost per downtime due to DoS attacks.
A DoS or DDoS attack can attempt to make an online service unavailable by overwhelming the service with a huge amount of network traffic from a single source or multiple sources. (See, e.g., Reference 41). These attacks target a wide variety of important resources, from banks to government websites, and present a major challenge to computer networks. Arbor Networks observes more than 2000 DDoS attacks per day. (See, e.g., Reference 42). 33% of all service downtime incidents can be attributed to DDoS attacks. (See, e.g., Reference 3). DoS and DDoS attacks are often considered instruments to simply knock down online services. However, recent incidents show that these attacks are being consistently used to disguise other malicious activity such as delivering malware, data theft, wire fraud and even extortion for bitcoins. (See, e.g., References 44-46). In one case, a DDoS attack on a bank aided the concealment of a $900,000 cyberheist. (See, e.g., Reference 47).
Most host-based DDoS detection mechanisms employ rate-based filtering approaches, which set a threshold for a certain network parameter to detect and mitigate DDoS attacks. A generalized rate-based mechanism for a DDoS defense system is shown in the diagram of FIG. 10. Widely used tools such as “Snort” (see, e.g., Reference 48), “DDoS-Deflate” (see, e.g., Reference 49), “Packet Dam” (see, e.g., Reference 50), “Lighttpd” (see, e.g., Reference 51), “Netflow Analyzer” (see, e.g., Reference 52), and “ConFigure Server Firewall (“CSF”)” (see, e.g., Reference 53) use this methodology for DDoS attack evaluation. The monitored parameter can be the number of concurrent connections, the number of open connection requests, the page access or request rate, etc. If an internet protocol (“IP”) address crosses the threshold set by the defense tool, it can be considered a “BAD IP” and banned/blacklisted by the firewall. After a predefined duration of time, the “BAD IP” can be removed from the blacklist, and it is no longer considered a “BAD IP”. The threshold used in most of these mechanisms can be a static number predefined by the user. This can make the detection vulnerable to threshold learning attacks: an attacker can learn the threshold and craft the DDoS attack to send malicious traffic at a rate below the threshold, bypassing the detection mechanism. Thus, such attacks can persistently affect the victim for several days while evading detection. Security reports indicate that current DDoS attacks last from a few hours to more than five days. (See, e.g., Reference 54).
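The generalized rate-based mechanism described above, written out as an added example (not code from the disclosure or from any of the named tools): a per-IP sliding-window counter with a static threshold and a timed ban, replayed over constructed sample traffic in which one source floods and is banned while a second source stays just under the threshold for a full minute and is never flagged, which is the threshold-learning weakness the text describes. The IP addresses, threshold, window and ban duration are assumed values chosen for the illustration.

```python
from collections import defaultdict, deque


class RateBasedDetector:
    """Per-IP sliding-window rate filter with a static threshold and a
    timed ban, modelling the generalized mechanism of FIG. 10.
    Timestamps are integer milliseconds."""

    def __init__(self, threshold, window_ms, ban_ms):
        self.threshold, self.window_ms, self.ban_ms = threshold, window_ms, ban_ms
        self.events = defaultdict(deque)   # ip -> request times inside the window
        self.banned_until = {}             # "BAD IP" -> time at which the ban lapses

    def observe(self, ip, now):
        """Record one request from ip; return 'ok', 'dropped' or 'banned'."""
        if ip in self.banned_until:
            if now < self.banned_until[ip]:
                return "dropped"           # still blacklisted
            del self.banned_until[ip]      # ban expired: no longer a BAD IP
        q = self.events[ip]
        q.append(now)
        while now - q[0] > self.window_ms:  # slide the window forward
            q.popleft()
        if len(q) > self.threshold:        # static threshold crossed
            self.banned_until[ip] = now + self.ban_ms
            q.clear()
            return "banned"
        return "ok"


def replay(lines, detector):
    """Feed '<ms> <ip>' log lines in time order; return per-IP accepted
    counts and the list of (ip, time) bans the detector issued."""
    accepted, bans = defaultdict(int), []
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, ip = line.split()
        verdict = detector.observe(ip, int(ts))
        if verdict == "ok":
            accepted[ip] += 1
        elif verdict == "banned":
            bans.append((ip, int(ts)))
    return dict(accepted), bans


# Constructed sample traffic (assumed, not from the page): 10.0.0.1 sends 40
# requests in 4 s and retries once after its ban lapses; 10.0.0.2 stays under
# the threshold (one request per 600 ms, 17 per 10 s window) for a minute.
SAMPLE_LOG = ([f"{t} 10.0.0.1" for t in range(0, 4000, 100)] + ["40000 10.0.0.1"]
              + [f"{t} 10.0.0.2" for t in range(0, 60000, 600)])


def run_sample():
    return replay(SAMPLE_LOG, RateBasedDetector(threshold=20, window_ms=10_000, ban_ms=30_000))
```

Running `run_sample()` shows 10.0.0.1 banned at 2000 ms with only 21 of its 41 requests accepted, while all 100 requests from 10.0.0.2 pass, so a static threshold alone never sees the slower source.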
Thus, it may be beneficial to provide an exemplary system, method and computer-accessible medium for network intrusion detection which can overcome at least some of the deficiencies described herein above.